Indonesian Coordinating Minister for Political, Legal and Security Affairs Marshal (ret.) Hadi Tjahjanto revealed the results of the forensic investigation into the cause of the cyber attack on the temporary National Data Center (PDN)-2 located in Surabaya, East Java.
“From the results of the forensic investigation, we were able to find out who the user is who [negligently] used his password and eventually caused these very serious problems,” Tjahjanto said after a coordination meeting with the Minister of Communication and Informatics (Kominfo) and the head of the National Cyber and Cryptography Agency (BSSN) in Jakarta on July 1.
The government will take legal action against the person in accordance with applicable rules.
Tjahjanto stressed that cybersecurity protocols in every government agency must be strengthened immediately after this incident. In the future, users accessing the temporary PDN system will be monitored directly by the BSSN, including in terms of password usage.
“When determining and using passwords, we must be careful, we can no longer be careless,” he said.
The Brain Cipher ransomware attacked the temporary PDN-2 in the early hours of June 20, crippling more than 200 central and local government services, including immigration checkpoints and autogate services at five overseas arrival points.
Three days before the attack, the BSSN had detected an attempt to disable the system's security features; with those features disabled, the malicious activity was able to continue.
All services are expected to be restored this month
Minister Tjahjanto explained that the government is currently operating the temporary PDN-1 located in Batam, Riau Islands, as a disaster recovery center (DRC). “With the capacity upgrade to a hot site, the affected strategic public services can be restored this month.”
The government will also prepare data placement and backup arrangements in layers according to the level of data classification ranging from strategic data, limited data and open data.
Tjahjanto stressed that this data backup will be done using cloud services. “General data such as statistical data and others will be stored in the cloud, so as not to fill the capacity of the PDN,” he added.
Data backup will be mandatory
When the House of Representatives summoned BSSN chief Hinsa Siburian and Kominfo Minister Budi Arie Setiadi on June 27 for a hearing on the incident, it was revealed that the agencies’ compliance with cybersecurity protocols and data governance was weak.
Siburian revealed that only 2% of the data in the temporary PDN-2 had been backed up, which means that most of that data is almost certain to be lost. “This is the result of our checks; the cause is the lack of backups.”
He also referred to BSSN Regulation No. 4 of 2021 on Guidelines for Information Security Management of Electronic Government Systems. The directive states: “Every tenant is required to periodically back up information and software in PDN.”
Meanwhile, Setiadi explained that many government agencies do not have data backups because there is no budget or due to difficulties in explaining the need and urgency of having data backups to auditors.
“We will soon be developing regulations that will make data backup mandatory and no longer optional,” he said.
The two officials agreed to sit down together to quickly determine the next steps in developing a PDN ecosystem architecture with a sustainable and permanent level of cybersecurity.
A weak password indicates that PDN management is unprofessional
Pratama Persadha, president of the Communication and Information Systems Security Research Center, told Kompas that the password lapse showed that the PDN manager was unprofessional, since creating strong passwords is a basic lesson in networking.
“If it is true that the Kominfo Ministry or the tenants are using passwords that are easy to guess, easy to crack, it means that their course is not an IT management course,” Pratama said.
Pratama stressed that creating a strong password is a basic lesson in using any network: a password should be at least eight characters long, combine upper- and lower-case letters, include symbols, be paired with two-factor authentication, and be changed regularly. In addition, access to passwords should be limited.
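As an added example (not code from the article, from Kompas, or from any PDN or government system), the composition rules Pratama lists can be turned into a check that a tenant could run over its own accounts before the BSSN does. The script encodes those rules and adds two checks a practitioner would want alongside them: the password must not be a commonly used word dressed up with leetspeak or trailing digits, and it must not contain the account name. The blocklist, the account names and every password below are constructed for this example and are not real credentials; a real deployment would replace the eight base words with a breached-password list.

```python
"""Password-policy check for the rules listed above.

Added example, not code from the article or from any PDN system. Rules:
at least eight characters, upper- and lower-case letters, a symbol, not
based on a commonly used password, and not containing the account name.
"""
import re
import unicodedata

# Constructed blocklist of base words. A real deployment would use a
# breached-password list of millions of entries instead of eight words.
COMMON_BASE_WORDS = {
    "password", "admin", "qwerty", "welcome", "letmein",
    "indonesia", "jakarta", "surabaya",
}

# Undo the leetspeak substitutions that make "P@ssw0rd" look different from "password".
_LEET = str.maketrans({"@": "a", "0": "o", "$": "s"})


def _base_word(password: str) -> str:
    """Reduce a password to its alphabetic core for blocklist matching.

    "P@ssw0rd2024!" -> "password", "Jakarta2024" -> "jakarta".
    The heuristic is deliberately simple: strip trailing digits and
    punctuation, undo common leetspeak, then keep only letters.
    """
    folded = unicodedata.normalize("NFKC", password).lower()
    folded = re.sub(r"[0-9!?._-]+$", "", folded)  # drop trailing "2024", "!", "123"
    folded = folded.translate(_LEET)
    return re.sub(r"[^a-z]", "", folded)


def check_password(password: str, account: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    if _base_word(password) in COMMON_BASE_WORDS:
        problems.append("based on a commonly used password")
    if account and account.lower() in password.lower():
        problems.append("contains the account name")
    return problems


def audit(credentials: dict[str, str]) -> dict[str, list[str]]:
    """Check every account and return only those that fail, with their violations."""
    report = {}
    for account, password in credentials.items():
        problems = check_password(password, account)
        if problems:
            report[account] = problems
    return report


if __name__ == "__main__":
    # Constructed sample accounts (hypothetical names); none are real credentials.
    SAMPLE = {
        "tenant-a": "P@ssw0rd2024!",   # satisfies the composition rules, but is "password"
        "tenant-b": "Surabaya1",       # no symbol, and a common base word
        "operator": "operator#9",      # contains the account name, no upper-case letter
        "tenant-c": "Xk9#vL2q$wP",     # passes every check
    }
    for account, problems in audit(SAMPLE).items():
        print(f"{account}: {'; '.join(problems)}")
```

Note that "P@ssw0rd2024!" satisfies every composition rule on its own; it is only the base-word check that rejects it. Length and blocklist checks catch the passwords attackers actually guess first, which is why they sit next to the composition rules rather than replacing them.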